[dns-operations] Verisign won't delete obsolete glue records?

Wessels, Duane dwessels at verisign.com
Tue Mar 2 21:23:08 UTC 2021



> On Mar 2, 2021, at 12:10 PM, Doug Barton <dougb at dougbarton.email> wrote:
> 
> On 3/2/21 11:49 AM, Andrew Sullivan wrote:
>> On Mon, Mar 01, 2021 at 04:35:47PM -0800, Doug Barton wrote:
>>> 
>>> 
>>> Perhaps I didn't ask my question clearly enough. Let's take a delegation for example.com to ns1.example.info and ns2.example.info. There will be no host records at Verisign for those two names, right? 
>> If the registry uses both domain objects and host objects ...
> 
> I think you missed my followup where I indicated that from what I can see, Verisign is creating host objects for every host mentioned in a delegation regardless of bailiwick, but not putting glue records into the zone where they are not needed.

Hi Doug,

Verisign does not create these on its own, but rather requires the registrant to set at least one IP address on what the EPP RFC 5732 calls an "internal host."  Any .COM or .NET host in the registry is considered an internal host.

An internal host can be used as a delegating name server for any .COM or .NET domain in the registry.  The delegation is made in the registry on the creation of a domain or an update of a domain. The host must exist prior to the delegation from a domain, so they must be set with the IP addresses to cover the case of an in-bailiwick name server.

You said "but not putting glue records into the zone where they are not needed."  The only time something like that would happen is for what is called orphan glue.  As has been discussed on this list before, Verisign does not publish orphan glue records in the zone files you can get (e.g. via CZDS) but will include orphan glue records in DNS delegation responses when needed.  But I don't think that's what's happening in your case.

DW


> 
> For peace of mind I would much rather see the IP addresses in those host objects removed when they are not needed as glue, rather than being ignored, since that reduces the chance of a spurious glue record being published accidentally.
> 
> Doug
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://secure-web.cisco.com/11YBI52gE988BTx9qH-YZJ5y3kkSasGz65vyjTzgs3vqRFY7nRoAyfkfxumG1bZPJotjwx4uuIjryH2_f8ueNVktf2X_rFnINGggkxbDxCA3Q0NreJNioDmaQpThWqEd49BUHiEjovZuDVKmAzbGVW1Ky5NolUVR-KMq4Qs-JhSSIZ7hQyTxFf-iwVJe6snj2oLUXSiDqfX2DSPEjtQkxA67-QfywcNTu_e6hvxvMa_Dl_xNgiwCu5J28JCNaZIr2_7o8VDqqoCjcINVEQFSiBg/https%3A%2F%2Flists.dns-oarc.net%2Fmailman%2Flistinfo%2Fdns-operations
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4695 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210302/ae0ada07/attachment.bin>


More information about the dns-operations mailing list